Introduction Flashcards
What are the two main approaches to information security?
The ability to resist certain threats, and the maintenance of objectives for the resources
Threats can give rise to what?
Violations
What are the three types of security violation?
Unauthorised information release, unauthorised information modification and unauthorised denial of use
Security violations can occur because of what three things?
Inadequate physical controls, inadequate controls within a computer system and inadequate controls for communications networks
What is a vulnerability?
A vulnerability is a flaw in design or implementation of a system that could lead to a security violation
In order to exploit a vulnerability, what must be assumed of attackers?
Attackers must know about the vulnerability and must be able to exploit the vulnerability
What are the two main types of attacker?
Insider attacker and outsider attacker
What is the CIA triad?
Confidentiality (prevention of unauthorised information release), Integrity (prevention of unauthorised information modification), and Availability (prevention of unauthorised denial of use)
What can security be defined as in accordance with the CIA triad?
Security can be defined as meeting the CIA triad’s goals
When is a security goal from the CIA triad met?
A security goal is met if and when the corresponding security violation does not occur
Why is achieving a security goal difficult?
It is difficult to anticipate every way an attacker can cause a security violation
What is confidentiality?
Confidentiality is about preventing users from reading information they are not supposed to
What is integrity?
Integrity is ensuring that all information has been kept the way it is meant to be
What is availability?
Availability is ensuring that services are accessible on demand for authorised users
What is accountability?
Accountability is holding users accountable for all of their actions
What is reliability?
Reliability is ensuring that the service remains consistent
What is a security event?
A security event is an occurrence in a system which may indicate a security violation
What is security event management?
Security event management is putting in place a defined procedure for reporting and managing security events
What is data privacy?
The notion of protecting someone’s Personally Identifiable Information (PII)
What is the difference between computer security and network security?
Computer security is protection of data stored in memory, while network security is protection of data in transit
What is a security policy?
A policy is the ‘intentions and direction of an organisation as formally expressed by its top management’. A security policy is a policy that ‘includes security objectives or provides the framework for setting information security objectives’
What are security objectives?
Security objectives are the goals of the information security management system related to the assets of an organisation and the criticality of the assets
What are security controls?
A security control is a measure that reduces risk. Controls include policies, processes and devices
What is risk assessment?
Risk assessment is the ‘overall process of risk identification, risk analysis, and risk evaluation’
What is risk analysis?
Risk analysis is the ‘process to comprehend the nature of risk and to determine the level of risk’
What are risk criteria?
Risk criteria are the ‘terms of reference against which the significance of risk is evaluated’
What is risk evaluation?
Risk evaluation is the ‘process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable’
What is risk treatment?
Risk treatment is the ‘process of modifying risk’, whether by ignoring it or by creating controls